Author Topic: SSG-5 and Remote Desktop

adrianr

SSG-5 and Remote Desktop
« on: February 01, 2008, 02:55:15 am »
Hi there,
I'm new here and have been having some problems with my Juniper. I have a fairly basic setup with my Juniper connected directly to the modem. Behind the Juniper I have a terminal services server with a fixed IP. I am trying to route all RDP requests to that particular IP using VIP. Please note that I want to use VIP and MIP as there are other things I would like to map in the near future. What I am trying to do at the moment is make just one VIP work. I have done all the policies and services. In the logs it says Close - AGE OUT. What does this mean? I am also sure that the server works through RDP as I have tried it directly.

My config is below. Could you please see if I have something wrong, as I am getting desperate :S

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "RDP" + udp src-port 0-65535 dst-port 3389-3389
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "nAFTOsrNI8PJcyJDbsgAH/Kt4yJsrn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 194.158.43.45/29
set interface ethernet0/0 nat
set interface bgroup0 ip 192.168.0.250/24
set interface bgroup0 nat
set interface ethernet0/0 gateway 194.158.43.41
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface bgroup0 manage mtrace
set interface ethernet0/0 vip untrust 3389 "RDP" 192.168.0.1
set interface ethernet0/1 dhcp client enable
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "194.158.43.45/29" 194.158.43.45 255.255.255.248
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 name "Remote Desktop" from "Untrust" to "Trust"  "Any" "VIP(ethernet0/0)" "RDP" permit log
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


kshymkiw

Re: SSG-5 and Remote Desktop
« Reply #1 on: February 01, 2008, 11:13:31 am »
Since you are logging the specific policy, what does the log say?

screenie.

Re: SSG-5 and Remote Desktop
« Reply #2 on: February 01, 2008, 02:42:20 pm »
Age-out means the session hit a time-out. Is the route back from the server OK? Can you otherwise debug the session?

set ff dst-ip <ip of server>
debug flow basic
start rdp
undebug all
get db stream

and last step of this small procedure:

post the output in this forum (:-
Regards, Screenie
------------------------
JNSS, JNCIA, JNCIS, JNCIP, JNCI
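Added example, not part of this thread or of ScreenOS: a small parser for syslog-style ScreenOS traffic records that picks out permitted sessions closed with "Close - AGE OUT" and rcvd=0 bytes, i.e. the firewall forwarded the client's packets to the VIP target but never saw a reply, which is the symptom behind Screenie's question about the route back from the server. The field layout and the sample lines are constructed assumptions modelled on the common ScreenOS "traffic" notification format, not output from the poster's box.

```python
import re

# Constructed sample records (assumed ScreenOS syslog traffic layout); IPs are documentation ranges.
SAMPLE_LOG = """\
NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2008-02-01 02:50:01" duration=60 policy_id=2 service=RDP proto=6 src zone=Untrust dst zone=Trust action=Permit sent=480 rcvd=0 src=203.0.113.10 dst=194.158.43.45 src_port=51234 dst_port=3389 dst-xlated ip=192.168.0.1 port=3389 session_id=1001 reason=Close - AGE OUT
NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2008-02-01 02:51:07" duration=5 policy_id=1 service=HTTP proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1200 rcvd=8800 src=192.168.0.20 dst=198.51.100.7 src_port=40001 dst_port=80 session_id=1002 reason=Close - TCP FIN
NetScreen device_id=ssg5 [Root]system-notification-00257(traffic): start_time="2008-02-01 02:52:30" duration=60 policy_id=2 service=RDP proto=6 src zone=Untrust dst zone=Trust action=Permit sent=960 rcvd=0 src=203.0.113.11 dst=194.158.43.45 src_port=51300 dst_port=3389 dst-xlated ip=192.168.0.1 port=3389 session_id=1003 reason=Close - AGE OUT
"""

KEYS = ("policy_id", "service", "action", "sent", "rcvd", "src", "dst", "dst_port", "session_id")


def parse_traffic_line(line):
    """Return the fields needed for the one-way check, or None if this is not a traffic record."""
    if "(traffic)" not in line:
        return None
    fields = {}
    for key in KEYS:
        # Lookbehind stops "dst=" from matching inside "dst_port=" style keys.
        m = re.search(r"(?<![\w-])%s=(\S+)" % re.escape(key), line)
        if m:
            fields[key] = m.group(1)
    m = re.search(r"dst-xlated ip=(\S+)", line)       # the VIP/MIP target behind the firewall
    if m:
        fields["dst_xlated"] = m.group(1)
    m = re.search(r"reason=(.*)$", line)               # reason text contains spaces, take the rest
    fields["reason"] = m.group(1).strip() if m else ""
    return fields


def one_way_age_outs(log_text):
    """Permitted sessions that aged out without a single reply byte from the destination."""
    hits = []
    for line in log_text.splitlines():
        f = parse_traffic_line(line)
        if not f or f.get("action") != "Permit":
            continue
        if f["reason"] == "Close - AGE OUT" and int(f.get("rcvd", "0")) == 0:
            hits.append(f)
    return hits


def summarize(hits):
    """Count one-way age-outs per (policy, service, translated server) to show which host never answers."""
    counts = {}
    for f in hits:
        key = (f.get("policy_id"), f.get("service"), f.get("dst_xlated", f.get("dst")))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (policy, service, server), n in summarize(one_way_age_outs(SAMPLE_LOG)).items():
        print("policy %s %s -> %s: %d sessions with no reply traffic" % (policy, service, server, n))
```

A server that is reached but whose default gateway is not the firewall produces exactly this pattern (sent>0, rcvd=0, AGE OUT), so the counts point at the return path rather than the policy or VIP definition.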